I was able to find the string Jordan was referring to by opening the file in a hex editor and doing a hex-ASCII conversion, and, applying rot13 (like Jordan), arrived at the answer.

However, that was clearly the easy part. I’m still trying to figure out how to trim it down to that particular string from the whole hex dump. Mind you, I don’t have nearly the skills Jordan clearly does.

That commandline can be sharpened up a touch … I tend to build up a commandline one step at a time, makes it easy to see what’s going on.

Once you get a good command-line solution, this can usefully form the basis of automated testing 🙂

As Jordan says, the key here is to run ndisasm over the file, and notice the ‘mov byte’ invocations. Collecting them with grep is simple, and then cut can be used to grab just the bytes themselves out.

ndisasm -u picture-puzzle.bmp | grep 'mov byte' | cut -d, -f2

This produces the bytes we want, one per line. To make printf’s job easier, we need to replace ‘^0x’ with ‘\x…’ (using single quotes here to make the \ safe from the shell, but still doubling it because of sed), and also replace ‘x0$’ (the null) with ‘x0a’ (LF)

… | sed -e 's/^0x/\\x/; s/x0$/x0a/'

The tr command is a great way to strip out all the newlines, and make this one single line for the printf command … which wraps around the whole commandline using the $() operator from bash (easier to read than the traditional shell ` backticks)

printf $(ndisasm … | tr -d '\n')

Oh noes! An alphabet substitution … quickly fixed with the caesar program, which will do a quick letter frequency count to determine the correct rotation to use … in this case, it’s 13 of course.
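
The steps from the comment above, assembled end to end as an added example (not code from either commenter). It runs over a constructed ndisasm-style listing rather than picture-puzzle.bmp, emits each byte through an octal escape instead of \x so it also works in plain POSIX sh, and uses tr for rot13 in place of the caesar program; the function names are made up for this example.

```shell
#!/bin/sh
# Constructed sample: what `ndisasm -u` output looks like for code that
# stores a NUL-terminated string one byte at a time. Not the real puzzle file.
sample_listing() {
cat <<'EOF'
00000000  55                push ebp
00000001  89E5              mov ebp,esp
00000003  C645FA55          mov byte [ebp-0x6],0x55
00000007  C645FB72          mov byte [ebp-0x5],0x72
0000000B  C645FC79          mov byte [ebp-0x4],0x79
0000000F  C645FD79          mov byte [ebp-0x3],0x79
00000013  C645FE62          mov byte [ebp-0x2],0x62
00000017  C645FF00          mov byte [ebp-0x1],0x0
0000001B  8D45FA            lea eax,[ebp-0x6]
EOF
}

# stdin: disassembly listing; stdout: the bytes written by 'mov byte'.
decode_listing() {
    # grep keeps only the byte stores (other lines also contain commas),
    # cut takes the immediate operand after the comma, e.g. 0x55.
    grep 'mov byte' | cut -d, -f2 | while read -r b; do
        case $b in
            0x0) printf '\n' ;;  # terminating NUL becomes LF, as in the sed step
            *)   printf '%b' "\\0$(printf '%03o' "$b")" ;;  # 0x55 -> \0125 -> U
        esac
    done
}

# rot13: the rotation the frequency count arrives at for this puzzle.
rot13() { tr 'A-Za-z' 'N-ZA-Mn-za-m'; }

solve() { sample_listing | decode_listing | rot13; }

solve
```

On the real file, replace `sample_listing` with `ndisasm -u picture-puzzle.bmp`.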